Re: Possible flaw in XFree?

From: Philip Rowlands (phrat_private)
Date: Fri Jun 28 2002 - 09:18:08 PDT


    On Thu, 27 Jun 2002, William N. Zanatta wrote:
    
    >   1. Logged into the system as 'william' (a normal non-privileged user).
    >   2. startx
    >   3. Run xlock
    >   ... the screen is now locked...
    >   4. Tried a hit on some keys. The password screen appears.
    >   5. Then, 'ctrl-alt-backspace' and voila... X is down and my console
    >is there, opened for me.
    >
    >   I see this as a serious problem once one could let his/her X session
    >opened and locked and anyone who has access to that machine could abort
    >the X session and start playing around with the logged user's shell
    >(which could be the root shell).
    
    That's a feature, not a bug :) If you don't like it, set
    Option "DontZap" "on"
    in your config file. Or use {g,k,x}dm rather than startx, then at least
    you don't drop to a shell.
    
    
    Cheers,
    
    Phil
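
An added example, not part of the original message: a Python check that a config file really carries the DontZap setting mentioned above. It assumes the option sits in the ServerFlags section of XF86Config and follows XFree86's boolean-option conventions (case-insensitive names, a bare option meaning on, a "No" prefix negating); the function name and sample config are constructed for illustration.

```python
import re

TRUE, FALSE = {"1", "on", "true", "yes"}, {"0", "off", "false", "no"}

# Constructed sample config for illustration (not from the original message).
SAMPLE = '''
Section "ServerFlags"
    Option "DontZap" "on"   # disable Ctrl-Alt-Backspace server abort
EndSection
'''

def _norm(name):
    # Option names are case-insensitive; spaces and underscores are ignored.
    return re.sub(r"[\s_]", "", name).lower()

def dontzap_enabled(config_text):
    """True only if ServerFlags sets DontZap on and nothing turns it off."""
    in_flags, states = False, []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # simplification: '#' always starts a comment
        section = re.match(r'(?i)section\s+"([^"]*)"', line)
        if section:
            in_flags = section.group(1).lower() == "serverflags"
        elif re.match(r"(?i)endsection\b", line):
            in_flags = False
        elif in_flags:
            opt = re.match(r'(?i)option\s+"([^"]*)"(?:\s+"([^"]*)")?', line)
            if not opt:
                continue
            name = _norm(opt.group(1))
            value = (opt.group(2) or "on").strip().lower()  # bare option means on
            if name not in ("dontzap", "nodontzap") or value not in TRUE | FALSE:
                continue
            state = value in TRUE
            # A "No" prefix negates a boolean option.
            states.append(not state if name == "nodontzap" else state)
    # Assumption of this example: conflicting settings count as not enabled.
    return bool(states) and all(states)

if __name__ == "__main__":
    print("DontZap enabled:", dontzap_enabled(SAMPLE))
```

The check covers only the config option; whether the session was started through a display manager rather than startx has to be verified separately.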
    


